Xem got stolen from private key wallet

No, I created my own address. I used the exchange LiteBit.eu to have it sent to my address mentioned above. (NDEBOG-2OE2D5-O6VMCO-HSV7IW-YTKEBY-REFS7R-FB5N)

I forgot: I also visited the Dim Ico site to get the Nem address for participating in the Ico. The one I sent my 1500 Xem to.

Something interesting has happened… o.O

take a look at this message the thieves account has sent me after he was done stealing the Xem and Dim Tokens and Coins.

653ed2bd12d710bc0d0ebf5a3149d5641b283f8a55c9ffaab4370844af84ab70

They spent 6 Xem just to give me the following message:
слово:12345q | Счет:NDEBOG2OE2D5O6VMCOHSV7IWYTKEBYREFS7RFB5N | ключ:35d5e5ccc8cddfa7d4ec03064f1d6f073def802e5373dbda060ed273efb7

I ran the words through Google translate and they are Russian for: Word, Score, Key (respectively)

Now at least I know a bit more:
They probably stole my temporary .wlt file, which i didn’t give a strong enough password for because i just created it for a one time transaction and purged it afterwards right away.

This Was The Attackers Entrance

And yes, the private key is correct…

I will continue to research how it was possible for them to access the wlt-file from the local storage. This might be a significant security exploit.

Now everything comes together why they waited till Saturday to empty my account, because they probably needed that time to brute force crack the password of the temporary wlt-file. I created that file the Monday before to send Xem to the Dim Ico.

That’s a nice way of saying “pwned” for them…
:confused:

PS: feel free to log into that wallet of mine since it is now open for everyone… what an irony…

I will still have to confirm the exact way but this is a start for research:
https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet#Local_Storage

If i understand it correctly, local storage is not secure at all. more to come…

I was a victim of cross site scripting XSS…

Can you explain how the attacker could get your wallet file then?
Did you use an unsafe computer? A computer where others could know you made a private key on it? Do you know who has access to the computer?

Why didn’t you made this account as multisig after you saw the first transaction? The private key would be nullified and you would gain all access to your account. Next time use multisignature account, I am personally using 2 of 3, with NanoWallet as main wallet, phone wallet as a 2FA and one paper wallet as a backup. If you would like to stay with NEM, I could help you with setiing it up…

I used a totally safe computer, since it was a live session of a Linux mint OS. No one had access to the private key, since i only printed it out and rebooted the live session.
They got hold of the wlt-file through XSS. That, I am sure of now. How else would they know the password if they didn’t brute force crack it.

So which site did you visit? You mentioned the DIMCOIN site but I hardly can imagine that they hacked that site… hmm

I planned to do this, but I had not enough time to set it up. work, family.
next time i will totally set up a multi signature account. thank you for offering your help with that. i will come back to you with a private message if i need help.

1 Like

I try to recall that, because one of those sites did the XSS attack. Since it was a live season, I no longer have the browsers history… I will try to figure out which sites i visited and inspect all of them.

On the weekend, I will have time to also check the NanoWallet source to see if i can find the vulnerability.

Edit: I also don’t think that the Dim Coin site is responsible, but i will check them out nonetheless.

Well to be honest - you have a good concept with the live CD and so on but then you should be so consequent and use that only for creating wallets and nothing else. +_+

And as you see you should always used a proper password even if it’s only temporary.
We had already a case where somebody had his very low-level-secure password brute-forced and lost 6M xem…

Yes this was my fault, I know. I didn’t browse the web while having my wallet open. All I did was to find out the wallet address for the DIM Ico. But I must have stumbled upon the malicious website in the process.

That sucks… still, for me 5687 Xem was much money…

I will still try to find the vulnerability in the NanoWallet and the attackers website. Because everyone is at risk. If they have your wlt-file, they will try to crack it, no matter how good the password used.

Every hacked / lost xem hurts doesn’t matter how many. :cry:

As far as I know you can only crack (decrypt) a wlt file with the password. Which boils down to brute forcing the password or obviously utilizing a key logger.

Anyways I hope you might remember the malicious site. At least this is a warning for others not to do the same mistakes.

I hope so as well… I will keep you all updated!

1 Like


If I see this correctly, other online services could extract variable values from the local storage, presuming they know the key value.

@Saul thought this might have some importance…

r3n3 : there is a security fix pending, but the details of exploit haven’t yet been published, devs know a bit more, NEM Beta 0.6.91

@Psyder No, this update has nothing to do with this Local Storage issue.

We have played around a bit.

CHROME and SAFARI allow the following proof of vulnerability:

  1. Create the .HTML & .JS files below
  2. Run the .HTML in the browser which you use for NanoWallet
  3. See the contents of the LOCALSTORAGE displayed
  4. (Bruteforcing the symmetric encryption is another thing)

index.html
<!doctype html>

<html lang="en">
<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1" />
  <title>Show Browser LocaStorage</title>

</head>

<body>
  <pre id="result"></pre>

  <script src="index.js"></script>
</body>
</html>

index.js
document.getElementById("result").innerHTML = JSON.stringify(localStorage);



If you feel your login password into your Nanowallet may be too weak (bruteforce-able) - it does not help to export the private key, and re-create a new wallet via “Sign Up” in the Nanowallet.
This is because the old localstorage may already be stolen and worked on by brute-forcers.
Mitigation: Transfer your XEM to a new NEM ACCOUNT which resides in a secure wallet.
For some time, we may have to live with the fact that the browsers’ localstorage is not “secure”.

Greetings,
Rene - LuxTag powered by NEM
[Thanks to @musdom (Developer at LuxTag) ]

1 Like

Can someone explain how anybody can steal the localstorage on ubuntu live?

If you happen to land on a malicious website with your wallet loaded and not yet purged.

My understanding is that they already have stolen many wlt-files that way. brute forcing is just a matter of time unless a password as good as the private key is being used. my weak password took them 5 days.